AMENDMENT AND RESPONSE UNDER 37 C.F.R. § 1.116 - EXPEDITED PROCEDURE 

Serial Number: 10/585,517 Dkt: 2043.561US1 
Filing Date: July 10, 2006 

Title: DETECTING RELAYED COMMUNICATIONS 



IN THE CLAIMS 

Please amend the claims as follows: 

1. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

[[a)]] receiving[[,]] a communication from the potential relay device, the 
communication comprising a first information element and a second information element, 
wherein the potential relay device is an original source of said second information element; 

identifying a feature of an original source of said first information element; 

identifying a feature of the potential relay device; and 

[[b)]] determining, using a relay detection system implemented at least in part in 
hardware, that [[a]] the feature of [[an]] the original source of said first information element and 
[[a]] the feature of the potential relay device are features unlikely to relate to a single device, said 
determining being indicative that the potential relay device is a relay device. 

2. (Original) The method of claim 1 wherein said second information element is of a type 
that a relay device of a class of relay devices is unlikely to relay. 

3. (Previously Presented) The method of claim 2 wherein said class of relay devices is 
selected from the group consisting of a SOCKS proxy, an HTTP proxy using the GET method, 
an HTTP proxy using the CONNECT method, an IP router and a NAT device. 

4. (Currently Amended) The method of claim [[1]] 1 wherein said second information 
element is part of a communication, wherein the communication is of a type selected from the 
group consisting of IP, TCP, ICMP, DNS, HTTP, SMTP, TLS, and SSL. 

5. (Original) The method of claim 1 wherein said first information element is part of a 
communication, wherein the communication is of a type selected from the group consisting of 
IP, TCP, ICMP, DNS, HTTP, SMTP, TLS, and SSL. 



6. (Cancelled) 



7. (Currently Amended) The method of claim [[6]] 1 wherein said first and said second 
information elements are sent in two different layers of a protocol stack. 

8. (Canceled) 

9. (Currently Amended) The method of claim [[8]] 1 wherein said stage of determining 
further comprises: 

[[iii)]] comparing said feature of an original source of said first information element with 
said feature of the potential relay device. 

10. (Currently Amended) The method of claim [[8]] 1 further comprising: 

[[c)]] obtaining a parameter indicative of said feature of an original source of said first 
information element; and 

[[d)]] obtaining a parameter indicative of said feature of the potential relay device. 

11. (Currently Amended) The method of claim [[8]] 1 wherein said stage of determining 
further comprises: 

[[iii)]] considering a time at which at least one of said feature of an original source of 
said first information element and said feature of the potential relay device, was discovered. 

12. (Currently Amended) The method of claim 1 further comprising: 

[[c)]] obtaining a parameter indicative of a relationship between said feature of said 
original source of said first information element and said feature of the potential relay device. 

13. (Original) The method of claim 12, wherein said stage of determining includes analyzing 
said parameter indicative of a relationship between said feature of said original source of said 
first information element and said feature of the potential relay device. 

14. (Original) The method of claim 12 wherein said parameter is obtained from at least one 
of said first information element and said second information element. 

15. (Currently Amended) The method of claim 1 further comprising: 

[[c)]] sending an outgoing communication to at least one of said original source of said 
first information element and the potential relay device; and 

[[d)]] [[Receiving]] receiving a third information element from said at least one of said 
original source of said first information element and the potential relay device. 

16. (Currently Amended) The method of claim 15, further comprising: 

[[e)]] deriving from said third information element information related to a feature of 
said at least one of said original source of said first information element and the potential relay 
device. 



17. (Currently Amended) The method of claim 15 further comprising: 

[[iii)]] verifying that an original source of said third information element is said original 
source of said first information element. 



18. (Currently Amended) The method of claim 15 further comprising: 

[[iii)]] verifying that an original source of said third information element is the potential 
relay device. 



19. (Original) The method of claim 15 wherein said third information element is selected 
from the group consisting of an ICMP message, an ICMP Echo Reply message, a DNS query, an 
HTTP request, an HTTP response, an HTTP 'Server' header, an IP address, a TCP port, a TCP 
Initial Sequence number, a TCP Initial Window, a WHOIS record, and a reverse DNS record. 



20. (Original) The method of claim 1 wherein at least one of said feature of an original 
source of said first information element and said feature of the potential relay device is a feature 
related to a configuration status. 

21. (Original) The method of claim 20 wherein said feature related to a configuration status is 
selected from the group consisting of an operating system type, an operating system version, a 
software type, an HTTP client type, an HTTP server type, an SMTP client type, an SMTP server 
type, a time setting, a clock setting and a time zone setting. 

22. (Original) The method of claim 21 wherein said determining includes examining a 
parameter indicative of said feature related to a configuration status. 

23. (Previously Presented) The method of claim 22 wherein said parameter is selected from 
the group consisting of an HTTP 'User-Agent' header, an RFC 822 'X-Mailer' header, an RFC 
822 'Received' header, an RFC 822 'Date' header, a protocol implementation manner, a TCP/IP 
stack fingerprint, an IP address, a TCP port, a TCP initial sequence number, a TCP initial 
window, a WHOIS record, and a reverse DNS record. 

24. (Original) The method of claim 1 wherein at least one of said feature of a source of said 
first information element and said feature of the potential relay device is a feature related to 
communication performance. 

25. (Original) The method of claim 24 wherein said feature related to communication 
performance is selected from the group consisting of a measured communication performance, a 
measured relative communication performance, and an estimated communication performance. 

26. (Original) The method of claim 24 wherein said feature related to communication 
performance is selected from the group consisting of a latency of communication, a latency of an 
incoming communication, a latency of an outgoing communication, a round trip time of a 
communication, a communication rate, an incoming communication rate, an outgoing 
communication rate, a maximum communication rate, an incoming maximum communication 
rate, and an outgoing maximum communication rate. 

27. (Original) The method of claim 24 wherein said determining includes examining a 
parameter indicative of said feature related to communication performance. 

28. (Original) The method of claim 27 wherein said parameter is selected from the group 
consisting of time of receipt of an information element, time of sending of an information 
element, a round trip time, a round trip time gap, an IP address, a Whois record, a reverse DNS 
record, and a rate of acknowledged information. 

29. (Original) The method of claim 28 wherein a higher round trip time gap is indicative of a 
higher likelihood that a relay device is being used for malicious purposes. 

30. (Original) The method of claim 24, wherein said feature related to communication 
performance is estimated from information about at least one of said original source of said first 
communication and the potential relay device. 

31. (Previously Presented) The method of claim 30, wherein said information about at least 
one of said original source of said first communication and the potential relay device is selected 
from the group consisting of a location of a device, a reverse DNS record of a device's IP 
address, and an administrator of a device. 

32. (Original) The method of claim 1 wherein at least one of said feature of an original 
source of said first information element and said feature of the potential relay device is selected 
from the group consisting of a subnetwork, an administrator, and a location. 



33. (Previously Presented) The method of claim 32 wherein said determining includes 
examining a parameter indicative of at least one of said feature of a source of said first 
communication and said feature of a source of said second communication, and said parameter is 
selected from the group consisting of an HTTP 'User-Agent' header, an RFC 822 'X-Mailer' 
header, an RFC 822 'Received' header, an RFC 822 'Date' header, an IP address, a WHOIS 
record, and a reverse DNS record. 




34. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

[[a)]] receiving, from the potential relay device, a first information element and a 
second information element, wherein the potential relay device is an original source of said 
second information element; 

[[b)]] analyzing a configuration status of an original source of at least one of said first 
and said second information elements, said configuration status selected from the group 
consisting of an operating system type, an operating system version, a software type, an HTTP 
client type, an HTTP server type, an SMTP client type, an SMTP server type, a time setting, a 
clock setting, and a time zone setting; 

identifying a feature of an original source of said first information element; 

identifying a feature of the potential relay device; and 

[[c)]] determining, using a relay detection system, whether [[a]] the feature of [[an]] the 
original source of said first information element and [[a]] the feature of the potential relay device 
are features unlikely to relate to a single device. 



35. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

[[a)]] receiving, from the potential relay device, a first information element and a 
second information element, wherein the potential relay device is an original source of said 
second information element; 

[[b)]] analyzing, using a relay detection system, a feature related to communication 
performance of an original source of at least one of said first and said second information 
elements; [[and]] 

identifying a feature of an original source of said first information element; 
identifying a feature of the potential relay device; and 

[[c)]] determining, using a relay detection system, whether [[a]] the feature of [[an]] the 
original source of said first information element and [[a]] the feature of the potential relay device 
are features unlikely to relate to a single device. 

36. (Original) The method of claim 35, wherein said feature related to communication 
performance is selected from the group consisting of a latency of communication, a latency of an 
incoming communication, a latency of an outgoing communication, a round trip time of a 
communication, a communication rate, an incoming communication rate, an outgoing 
communication rate, a maximum communication rate, an incoming maximum communication 
rate, and an outgoing maximum communication rate. 

37. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

[[a)]] sending a message to an information source device, triggering said information 
source device to send a DNS request to a DNS server; 

[[b)]] monitoring said DNS request from said information source device to said DNS 
server; [[and]] 

identifying a feature of the information source device from said DNS request; 
identifying a feature of said potential relay device; and 

[[c)]] determining, using a relay detection system, from said DNS request based on the 
feature of the information source device and the feature of the potential relay device whether said 
potential relay device is a relay device. 

38. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

[[a)]] receiving, from the potential relay device, a first information element and a 
second information element; 

identifying a feature of an original source of said first information element; 

identifying a feature of an original source of said second information element; and 

[[b)]] determining, using a relay detection system, that [[a]] the feature of [[an]] the 
original source of said first information element and [[a]] the feature of [[an]] the original source 
of said second information element are features unlikely to relate to a single device, said 
determining being indicative that the potential relay device is a relay device. 



39. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

[[a)]] receiving, from the potential relay device, a first information element and a 
second information element, wherein the potential relay device is an original source of said 
second information element; 

identifying an address of an original source of said first information element; 

identifying an address of the potential relay device; and 

[[b)]] checking, using a relay detection system, whether a round-trip time to the address 
of the potential relay device is significantly different than a round-trip time to [[an]] the address 
of the original source of said first information element. 



40. (Canceled) 

41. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

[[a)]] receiving, from the potential relay device, a first information element and a 
second information element, wherein the potential relay device is an original source of said 
second information element; 

identifying a location of an original source of said first information element; 

identifying a location of the potential relay device; and 

[[b)]] checking, using a relay detection system, whether [[a]] the location of the 
potential relay device is different than [[a]] the location of an original source of said first 
information element. 



42. (Cancelled) 



43. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

identifying a feature of an original source of a first information element; 

identifying a feature of the potential relay device that transmitted the first information 
element and a second information element, the potential relay device being the original source of 
the second information element; and 

[[a)]] determining, using a relay detection system, whether a feature of an original 
source of a first information element and a feature of the potential relay device are features 
unlikely to relate to a single device, wherein the potential relay device is a transmitter of said 
first information element and of a second information element, wherein the potential relay device 
is an original source of said second information element wherein a positive result of said 
determining is indicative that the potential relay device is a relay device. 



44. (Currently Amended) A system, implemented at least in part in hardware, to determine 
whether a potential relay device is a relay device, the system comprising: 

[[a)]] an information element receiver to receive information elements from a plurality 
of devices including an information source device and the potential relay device; 

a feature discovery module to identify at least one of a feature of the information source 
device and a feature of the potential relay device; and 

[[b)]] a feature incompatibility analyzer, using a feature database, to determine whether 
[[a]] the feature of said information source device and [[a]] the feature of the potential relay 
device are features unlikely to relate to a single device. 

45. (Canceled) 

46. (Original) The system of claim 44, wherein said information element receiver is further 
configured to receive information elements from a monitored host. 

47. (Currently Amended) The system of claim 44, wherein further comprising: 
[[c)]] an outgoing information element sender. 

48. (Original) The system of claim 44, further comprising: 

[[c)]] a parameter obtainer, for obtaining at least one parameter selected from the group 
consisting of a parameter indicative of a feature of an information source device, a parameter 
indicative of a feature of the potential relay device, and a parameter indicative of whether a 
feature of said information source device and a feature of said potential relay device are features 
unlikely to relate to a single device. 

49. (Original) The system of claim 44, further comprising: 

[[c)]] a feature database for storing a map between pairs of features and data indicative 
of whether said pairs of features are incompatible features. 
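The feature incompatibility analysis recited in claims 1, 23, 44 and 49 can be illustrated with a small detector: an application-layer parameter (the HTTP 'User-Agent' header, whose original source is the client that composed the request) is compared against a network-layer parameter (the IP TTL as a crude TCP/IP stack fingerprint, whose original source is the device that emitted the packet, i.e. the potential relay), and a feature database of pairs unlikely to relate to a single device decides the verdict. This is an added example, not code from the application or its applicant; the OS inference rules, the incompatibility table and the sample observations are constructed for the demonstration.

```python
"""Relay detection by feature incompatibility (illustrative, constructed)."""
from dataclasses import dataclass
from typing import Optional

# Feature database (cf. claim 49): pairs of features unlikely to come from
# one device.  Constructed for this example; a real table would be richer.
INCOMPATIBLE_PAIRS = {
    ("windows", "unix"),
    ("unix", "windows"),
}


def os_family_from_user_agent(user_agent: str) -> Optional[str]:
    """Application-layer feature (cf. claim 23, HTTP 'User-Agent' header).
    Simplified keyword match; returns None when the header names no OS."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if any(tok in ua for tok in ("linux", "android", "mac os x", "freebsd")):
        return "unix"
    return None


def os_family_from_ttl(observed_ttl: int) -> Optional[str]:
    """Network-layer feature (cf. claim 23, TCP/IP stack fingerprint).
    The initial TTL is recovered by rounding the observed value up to the
    nearest common default: 64 (Linux/BSD/macOS) or 128 (Windows).
    Other defaults (e.g. 255) are deliberately left unclassified."""
    if 0 < observed_ttl <= 64:
        return "unix"
    if 64 < observed_ttl <= 128:
        return "windows"
    return None


@dataclass
class Verdict:
    likely_relay: bool
    app_feature: Optional[str]
    stack_feature: Optional[str]


def analyze(user_agent: str, observed_ttl: int) -> Verdict:
    """Feature incompatibility analyzer (cf. claim 44).  Only a pair present
    in the feature database yields a relay verdict; missing evidence on
    either layer is reported as 'not shown', never as 'relay'."""
    app = os_family_from_user_agent(user_agent)
    stack = os_family_from_ttl(observed_ttl)
    if app is None or stack is None:
        return Verdict(False, app, stack)
    return Verdict((app, stack) in INCOMPATIBLE_PAIRS, app, stack)


# Constructed sample observations: (User-Agent, observed IP TTL).
SAMPLES = [
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", 54),   # Windows UA, unix stack
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", 118),  # consistent pair
    ("curl/7.88.1", 60),                                 # UA names no OS
]

if __name__ == "__main__":
    for ua, ttl in SAMPLES:
        print(ua, ttl, analyze(ua, ttl))
```

The first sample is flagged because a Windows browser string arriving over a stack whose TTL points to a Unix-like host is a pair the database marks incompatible; the third is not flagged because one feature is unknown.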

50. (Currently Amended) A computer-readable non-transitory storage medium comprising 
instructions, which when executed by a computer cause the computer to perform operations 
comprising: 

[[a)]] receive, from the potential relay device, a first information element and a second 
information element, wherein the potential relay device is an original source of said second 
information element; 

identify a feature of an original source of said first information element; 

identify a feature of said potential relay device; and 

[[b)]] determine whether [[a]] the feature of [[an]] the original source of said first 
information element and [[a]] the feature of said potential relay device are features unlikely to 
relate to a single device, wherein a positive result of said determining is indicative that said 
potential relay device is a relay device. 



